Mageia 2019-0277: nodejs security update

    Date: 15 Sep 2019
    Category: Mageia
    Posted By: LinuxSecurity Advisories
    MGASA-2019-0277 - Updated nodejs packages fix security vulnerabilities
    
    Publication date: 15 Sep 2019
    URL: https://advisories.mageia.org/MGASA-2019-0277.html
    Type: security
    Affected Mageia releases: 6
    CVE: CVE-2017-1000381,
         CVE-2018-7158,
         CVE-2018-7159,
         CVE-2018-7160,
         CVE-2018-7167,
         CVE-2018-12115,
         CVE-2018-12116,
         CVE-2018-12120,
         CVE-2018-12121,
         CVE-2018-12122,
         CVE-2018-12123,
         CVE-2019-5737,
         CVE-2019-5739
    
    This update provides nodejs v6.17.1, fixing at least the following security
    issues:
    
    The c-ares function ares_parse_naptr_reply(), which is used for parsing
    NAPTR responses, could be triggered to read memory outside of the given
    input buffer (CVE-2017-1000381) 
    
    Fix for 'path' module regular expression denial of service (CVE-2018-7158)
    
    Reject spaces in HTTP Content-Length header values (CVE-2018-7159)
    
    Fix for inspector DNS rebinding vulnerability (CVE-2018-7160)
    
    buffer: Fixes Denial of Service vulnerability where calling Buffer.fill()
    could hang (CVE-2018-7167)
    
    buffer: Fix out-of-bounds (OOB) write in Buffer.write() for UCS-2 encoding
    (CVE-2018-12115)
    
    Node.js: HTTP request splitting (CVE-2018-12116)
    
    Node.js: Debugger port 5858 listens on any interface by default
    (CVE-2018-12120)
    
    Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)
    
    Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122)
    
    Node.js: Hostname spoofing in URL parser for javascript protocol (CVE-2018-12123)
    
    Node.js: Slowloris HTTP Denial of Service with keep-alive (CVE-2019-5737)
    
    Node.js: Denial of Service with keep-alive HTTP connections (CVE-2019-5739)
    
    For other fixes in this update, see the referenced release logs.
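
The Content-Length item above (CVE-2018-7159) concerns a parser that skipped spaces inside the header value, so `Content-Length: 1 2` was read as 12. The JavaScript below is an added example, not code from Node.js or from this advisory: the function names and sample headers are constructed for illustration, and `lenientContentLength` is a simplified model of the pre-fix behaviour next to a strict check of the kind the fix enforces.

```javascript
'use strict';

// Simplified model of the lenient (pre-fix) reading: spaces inside the
// value are skipped, so "1 2" is accepted and read as 12.
function lenientContentLength(value) {
  const digits = value.replace(/ /g, '');
  return /^\d+$/.test(digits) ? Number(digits) : null;
}

// Strict reading: optional surrounding whitespace, then decimal digits only.
// Returns the length, or null when the message should be rejected (HTTP 400).
function strictContentLength(value) {
  const m = /^[ \t]*(\d+)[ \t]*$/.exec(value);
  if (m === null) return null;               // embedded space, sign, hex, empty
  const n = Number(m[1]);
  return Number.isSafeInteger(n) ? n : null; // refuse values that lose precision
}

// Validate every Content-Length field of one message. Repeated fields are
// tolerated only when all copies carry the same value (RFC 7230, 3.3.2).
function checkContentLength(rawHeaders) {
  let length = null;
  for (const [name, value] of rawHeaders) {
    if (name.toLowerCase() !== 'content-length') continue;
    const n = strictContentLength(value);
    if (n === null) {
      return { ok: false, reason: 'malformed value: ' + JSON.stringify(value) };
    }
    if (length !== null && n !== length) {
      return { ok: false, reason: 'conflicting values' };
    }
    length = n;
  }
  return { ok: true, length };
}

// Constructed sample header sets (not taken from the advisory).
const samples = [
  [['Host', 'example.test'], ['Content-Length', '12']],
  [['Host', 'example.test'], ['Content-Length', '1 2']],
  [['Content-Length', '5'], ['content-length', '7']],
  [['Content-Length', ' 42 ']],
];
for (const headers of samples) {
  console.log(JSON.stringify(headers), '->', JSON.stringify(checkContentLength(headers)));
}
```

A proxy and a back end that read different lengths from the same header disagree on where the body ends and the next request begins, which is why the value is rejected rather than normalised.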
    
    References:
    - https://bugs.mageia.org/show_bug.cgi?id=21330
    - https://nodejs.org/en/blog/release/v6.11.0/
    - https://nodejs.org/en/blog/release/v6.11.1/
    - https://nodejs.org/en/blog/release/v6.11.2/
    - https://nodejs.org/en/blog/release/v6.11.3/
    - https://nodejs.org/en/blog/release/v6.11.4/
    - https://nodejs.org/en/blog/release/v6.12.0/
    - https://nodejs.org/en/blog/release/v6.12.1/
    - https://nodejs.org/en/blog/release/v6.12.2/
    - https://nodejs.org/en/blog/release/v6.12.3/
    - https://nodejs.org/en/blog/release/v6.13.0/
    - https://nodejs.org/en/blog/release/v6.13.1/
    - https://nodejs.org/en/blog/release/v6.14.0/
    - https://nodejs.org/en/blog/release/v6.14.1/
    - https://nodejs.org/en/blog/release/v6.14.2/
    - https://nodejs.org/en/blog/release/v6.14.3/
    - https://nodejs.org/en/blog/release/v6.15.0/
    - https://nodejs.org/en/blog/release/v6.15.1/
    - https://nodejs.org/en/blog/release/v6.16.0/
    - https://nodejs.org/en/blog/release/v6.17.0/
    - https://nodejs.org/en/blog/release/v6.17.1/
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000381
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7158
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7159
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7160
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7167
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12115
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12116
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12120
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12121
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12122
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12123
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5737
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5739
    
    SRPMS:
    - 6/core/nodejs-6.17.1-8.mga6
    - 6/core/http-parser-2.9.2-1.mga6
    - 6/core/libuv-1.16.1-1.mga6
    
